fix(adapters): Make adapters to update their policies info in NP status
Signed-off-by: Anurag Rajawat <[email protected]>
anurag-rajawat committed Feb 13, 2024
1 parent 69a1bc3 commit b3192c3
Showing 6 changed files with 82 additions and 9 deletions.
2 changes: 0 additions & 2 deletions pkg/adapter/nimbus-kubearmor/go.sum
@@ -1,5 +1,3 @@
github.com/5GSEC/nimbus v0.0.0-20240129090659-01178b5c28c7 h1:adBGcrCAKeU7PLiz6m2c+3c8uuL5UPkHN5O6FHJQm7I=
github.com/5GSEC/nimbus v0.0.0-20240129090659-01178b5c28c7/go.mod h1:VXo/w78XDmQEunuZYIsDyGDthCKealQR13X9OkY25D0=
github.com/5GSEC/nimbus v0.0.0-20240208070656-624660f34768 h1:v2fY3lWXydstfekQSHs9n0TpNnTteC7Iws3ojwGtFJk=
github.com/5GSEC/nimbus v0.0.0-20240208070656-624660f34768/go.mod h1:yw79m9f1+f3tBSZCMQKbNVKL39Q71FyGyoa8nClo1Hs=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
15 changes: 14 additions & 1 deletion pkg/adapter/nimbus-kubearmor/manager/manager.go
Expand Up @@ -28,7 +28,6 @@ import (

var (
scheme = runtime.NewScheme()
np intentv1.NimbusPolicy
k8sClient client.Client
)

Expand Down Expand Up @@ -80,6 +79,7 @@ func Run(ctx context.Context) {
func reconcileKsp(ctx context.Context, kspName, namespace string, deleted bool) {
logger := log.FromContext(ctx)
npName := adapterutil.ExtractNpName(kspName)
var np intentv1.NimbusPolicy
err := k8sClient.Get(ctx, types.NamespacedName{Name: npName, Namespace: namespace}, &np)
if err != nil {
if !errors.IsNotFound(err) {
Expand All @@ -97,6 +97,7 @@ func reconcileKsp(ctx context.Context, kspName, namespace string, deleted bool)

func createOrUpdateKsp(ctx context.Context, npName, npNamespace string) {
logger := log.FromContext(ctx)
var np intentv1.NimbusPolicy
if err := k8sClient.Get(ctx, types.NamespacedName{Name: npName, Namespace: npNamespace}, &np); err != nil {
logger.Error(err, "failed to get NimbusPolicy", "NimbusPolicy.Name", npName, "NimbusPolicy.Namespace", npNamespace)
return
Expand Down Expand Up @@ -138,6 +139,18 @@ func createOrUpdateKsp(ctx context.Context, npName, npNamespace string) {
}
logger.Info("KubeArmorPolicy configured", "KubeArmorPolicy.Name", existingKsp.Name, "KubeArmorPolicy.Namespace", existingKsp.Namespace)
}

// Due to adapters' dependency on nimbus module, the docker image build is
// failing. The relevant code is commented out below (lines 151-153). We shall
// uncomment this code in a subsequent PR.

// Every adapter is responsible for updating the status field of the
// corresponding NimbusPolicy with the number and names of successfully created
// policies. This provides feedback to users about the translation and deployment
// of their security intent.
//if err = adapterutil.UpdateNpStatus(ctx, k8sClient, "KubeArmorPolicy/"+ksp.Name, np.Name, np.Namespace); err != nil {
// logger.Error(err, "failed to update KubeArmorPolicies status in NimbusPolicy")
//}
}
}

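Review bot: The status update in createOrUpdateKsp (hunk @@ -138,6 +139,18 @@) is shipped as commented-out code whose explanatory comment cites line numbers ("lines 151-153") that will drift as soon as the file changes. The comment also attributes the build failure to the adapter's dependency on the nimbus module, yet this same file already calls adapterutil.ExtractNpName, so the blocker is presumably that the adapter's go.mod pins a nimbus version that does not yet export UpdateNpStatus — worth stating that condition explicitly. Prefer a TODO naming the unblocking condition, e.g. `// TODO(issue ref placeholder): call adapterutil.UpdateNpStatus once this module's go.mod pins a nimbus version that exports it.`, and drop the line-number reference. When the block is re-enabled, `if err = adapterutil.UpdateNpStatus(...)` assigns to an `err` that must already be declared in this scope; whether it is cannot be seen from the hunk. The same commented-out block and comment appear in createOrUpdateNetworkPolicy in pkg/adapter/nimbus-netpol/manager/netpols_manager.go.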
1 change: 0 additions & 1 deletion pkg/adapter/nimbus-netpol/go.mod
Expand Up @@ -16,7 +16,6 @@ require (
github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/emicklei/go-restful/v3 v3.11.2 // indirect
github.com/evanphx/json-patch v5.7.0+incompatible // indirect
github.com/evanphx/json-patch/v5 v5.9.0 // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/go-logr/zapr v1.3.0 // indirect
3 changes: 1 addition & 2 deletions pkg/adapter/nimbus-netpol/go.sum
@@ -1,5 +1,3 @@
github.com/5GSEC/nimbus v0.0.0-20240129090659-01178b5c28c7 h1:adBGcrCAKeU7PLiz6m2c+3c8uuL5UPkHN5O6FHJQm7I=
github.com/5GSEC/nimbus v0.0.0-20240129090659-01178b5c28c7/go.mod h1:VXo/w78XDmQEunuZYIsDyGDthCKealQR13X9OkY25D0=
github.com/5GSEC/nimbus v0.0.0-20240208070656-624660f34768 h1:v2fY3lWXydstfekQSHs9n0TpNnTteC7Iws3ojwGtFJk=
github.com/5GSEC/nimbus v0.0.0-20240208070656-624660f34768/go.mod h1:yw79m9f1+f3tBSZCMQKbNVKL39Q71FyGyoa8nClo1Hs=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
Expand Down Expand Up @@ -154,6 +152,7 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
15 changes: 14 additions & 1 deletion pkg/adapter/nimbus-netpol/manager/netpols_manager.go
Expand Up @@ -28,7 +28,6 @@ import (

var (
scheme = runtime.NewScheme()
np intentv1.NimbusPolicy
k8sClient client.Client
)

Expand Down Expand Up @@ -80,6 +79,7 @@ func Run(ctx context.Context) {
func reconcileNetPol(ctx context.Context, netpolName, namespace string, deleted bool) {
logger := log.FromContext(ctx)
npName := adapterutil.ExtractNpName(netpolName)
var np intentv1.NimbusPolicy
err := k8sClient.Get(ctx, types.NamespacedName{Name: npName, Namespace: namespace}, &np)
if err != nil {
if !errors.IsNotFound(err) {
Expand All @@ -97,6 +97,7 @@ func reconcileNetPol(ctx context.Context, netpolName, namespace string, deleted

func createOrUpdateNetworkPolicy(ctx context.Context, npName, npNamespace string) {
logger := log.FromContext(ctx)
var np intentv1.NimbusPolicy
if err := k8sClient.Get(ctx, types.NamespacedName{Name: npName, Namespace: npNamespace}, &np); err != nil {
logger.Error(err, "failed to get NimbusPolicy", "NimbusPolicy.Name", npName[0], "NimbusPolicy.Namespace", npName[1])
return
Expand Down Expand Up @@ -138,6 +139,18 @@ func createOrUpdateNetworkPolicy(ctx context.Context, npName, npNamespace string
}
logger.Info("NetworkPolicy configured", "NetworkPolicy.Name", netpol.Name, "NetworkPolicy.Namespace", netpol.Namespace)
}

// Due to adapters' dependency on nimbus module, the docker image build is
// failing. The relevant code is commented out below (lines 151-153). We shall
// uncomment this code in a subsequent PR.

// Every adapter is responsible for updating the status field of the
// corresponding NimbusPolicy with the number and names of successfully created
// policies. This provides feedback to users about the translation and deployment
// of their security intent.
//if err = adapterutil.UpdateNpStatus(ctx, k8sClient, "NetworkPolicy/"+netpol.Name, np.Name, np.Namespace); err != nil {
// logger.Error(err, "failed to update NetworkPolicies status in NimbusPolicy")
//}
}
}

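Review bot: In createOrUpdateNetworkPolicy (hunk @@ -97,6 +97,7 @@), the error log indexes the string parameter: `"NimbusPolicy.Name", npName[0], "NimbusPolicy.Namespace", npName[1]` logs the first two bytes of npName as integers rather than the policy name and namespace, and panics with an index-out-of-range if npName is shorter than two bytes. The signature two lines above declares both `npName, npNamespace string`, so the call should read `logger.Error(err, "failed to get NimbusPolicy", "NimbusPolicy.Name", npName, "NimbusPolicy.Namespace", npNamespace)`, matching the equivalent line in the kubearmor adapter's createOrUpdateKsp. This is a context line the commit leaves unchanged, but it sits directly on the new function-local np fetch this commit introduces. The body of createOrUpdateNetworkPolicy continues past the hunk.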
55 changes: 53 additions & 2 deletions pkg/adapter/util/nimbuspolicy_util.go
Expand Up @@ -4,10 +4,61 @@
package util

import (
"context"
"strings"

"k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/util/retry"
"sigs.k8s.io/controller-runtime/pkg/client"

intentv1 "github.com/5GSEC/nimbus/api/v1"
)

func ExtractNpName(kspName string) string {
words := strings.Split(kspName, "-")
// ExtractNpName extracts the actual NimbusPolicy name from a formatted policy
// name.
func ExtractNpName(policyName string) string {
words := strings.Split(policyName, "-")
return strings.Join(words[:len(words)-1], "-")
}

// UpdateNpStatus updates the provided NimbusPolicy status with the number and
// names of its descendant policies that were created.
func UpdateNpStatus(ctx context.Context, k8sClient client.Client, currPolicyFullName, npName, namespace string) error {
// Since multiple adapters may attempt to update the NimbusPolicy status
// concurrently, potentially leading to conflicts. To ensure data consistency,
// retry on write failures. On conflict, the update is retried with an
// exponential backoff strategy. This provides resilience against potential
// issues while preventing indefinite retries in case of persistent conflicts.
if retryErr := retry.RetryOnConflict(retry.DefaultRetry, func() error {
latestNp := &intentv1.NimbusPolicy{}
if err := k8sClient.Get(ctx, types.NamespacedName{Name: npName, Namespace: namespace}, latestNp); err != nil {
return nil
}

updateCountAndPoliciesName(latestNp, currPolicyFullName)
if err := k8sClient.Status().Update(ctx, latestNp); err != nil {
return err
}

return nil
}); retryErr != nil {
return retryErr
}
return nil
}

func updateCountAndPoliciesName(latestNp *intentv1.NimbusPolicy, currPolicyFullName string) {
if !contains(latestNp.Status.Policies, currPolicyFullName) {
latestNp.Status.NumberOfAdapterPolicies++
latestNp.Status.Policies = append(latestNp.Status.Policies, currPolicyFullName)
}
}

func contains(existingPolicies []string, policy string) bool {
for _, existingPolicy := range existingPolicies {
if existingPolicy == policy {
return true
}
}
return false
}
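Review bot: In UpdateNpStatus, the Get inside the RetryOnConflict closure returns nil on any error, so a transient API failure (or a missing NimbusPolicy) makes the function report success without having touched the status, and the adapters' error logging at the call sites would never fire. Return the error and ignore only the not-found case: `return client.IgnoreNotFound(err)`. The comment above the closure says "retry on write failures", but retry.RetryOnConflict retries only conflict errors and returns any other Update error on the first attempt, so the comment should say that. updateCountAndPoliciesName maintains NumberOfAdapterPolicies independently of len(Status.Policies), so the two can drift if either is edited elsewhere; deriving the count from the slice length would keep them consistent, assuming the field is meant to count the same entries. No corresponding removal path is visible for when an adapter policy is deleted, so presumably the status only ever grows — worth confirming against the deletion handling in the adapters.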
